New Knowledge Pack Released (KP-2021-007-E)

Naming Update

Beginning with this Knowledge Pack release, the month-based naming convention will shift to one that uses the 4 digit year, followed by a triple digit series number and when required due to revisions, may be followed by a letter to indicate iterative versions prior to release.

Each Knowledge Pack contains the latest indicators of compromise from the Dragos Threat Intelligence team, automating the detection of activity that could identify malicious activity on an industrial network. They also provide regular updates of the latest protocols, threat intelligence analytics, ICS/OT device data, and investigation playbooks to equip our customers with proactive, comprehensive information to better understand their environments and detect advanced threats.

Knowledge Pack KP-2021-007-E includes a number of key updates that customers have been asking for and we know will be appreciated. Among them is the following sample:

Characterizations

• Emerson Ovation – DB transmit summarizations over UDP, host name and database identifications, important to customers serving the power and water industries.
• Schneider Electric – identification of SE devices and traffic summaries over SE Unity protocol (a Modbus subset), common in environments with Modicon PLCs.
• Additional Asset Identifications – using HTTP User-Agent, SNMP DysDescr, and SMB Browser Server strings.

Detections

• Schneider Electric – monitors for activity related to SE Unity program and logic upload and download plus PLC commands that are usually benign but could signal attack activity.
• Moxa – certain attacks like Service Agent authentication bypass and device cross-site scripting (XSS) techniques to alter configuration settings or execute Javascript commands.
• Goose protocol– typically used legitimately in substations by Intelligent Electronic Devices (IEDs), the presence of test packets or parameters signaling that a device requires commissioning or configuration outside of an expected maintenance window may indicate adversarial activity.
• Administrative activities – certain registry values set to null, especially if paired with the deletion of certain SCADA files, IEC104 file transfers, and new unexpected DNS lookups could raise flags for further investigation.

With each release, customers will find that the Platform detections have MITRE ATT&CK® Tactics and Techniques mapped to them, providing a common reference for known attack behaviors. Earlier this year, Dragos participated in the 2021 MITRE Engenuity ATT&CK® Evaluations for Industrial Control Systems with strong results. If you could like to learn more about the MITRE ATT&CK framework and how to put it to use in your organization, we invite you to download our whitepaper, “Mapping Industrial Cybersecurity Threats to MITRE ATT&CK for ICS”.

For more background on Dragos Knowledge Packs and how we continuously funnel our expertise into the Dragos Platform, we welcome you to read this overview or contact sales@dragos.com.